New Payment Process for Requests: We have shifted to a new payment process which accepts bank transfer or credit cards via Western Union and will no longer be accepting payments sent through to Connecting Up. For the updated instructions on how to process payments, kindly click here.

Follow us

Site Statistics and User Privacy for Nonprofit Websites

Your website is a place where people – potential supporters, volunteers, and beneficiaries learn about your organization, but it’s also a place where you learn about them. Using various web statistics and analytics tools, you can learn how people are finding your website, where visitors are located geographically, and what parts of your site they’re visiting. You can judge the impact of a particular fundraising letter or ad campaign by finding out how many times the message resulted in an online donation, a newsletter signup, or any other desired action. Used thoughtfully, website statistics can inform website design choices, help you make your website more user-friendly and navigable, and influence your overall communications and marketing strategy.

But is your visitors’ information being used by others? What responsibility do you have to explain to your site’s users what information they’re giving away by visiting your site and to whom? In this article, we’ll explore some privacy issues surrounding web analytics and other website tools. Since Google Analytics (GA) is the most prominent third-party analytics tool on the market, we’ll pay particular attention to it, but the recommendations we offer apply to other third-party services too.

We’ll offer some tips on crafting a privacy policy that explains to your site’s users how you and others will use any information they provide. Having a clear, readable privacy policy is a great idea even if you don’t use GA or a similar service. We can’t decide for you whether to use a third-party web analytics service, but we can help you make a thoughtful decision and take necessary steps to educate your website’s visitors.

This article is intended for readers who are already familiar with the basics of site statistics. If you’ve never thought about utilizing statistics on your nonprofit’s website, start with Idealware’s A Few Good Web Analytics Tools .

Understanding Site Statistics and Web Beacons

Every time someone visits your website, information about that visitor is stored in a server log, including the date and time of the visit, which pages the person viewed, her approximate location, and information about the computer and software she used to access your site. Most modern web hosts let you view and analyze your website’s log files. AWStats and Webalizer are the two most common log-file-analysis tools offered by hosting providers. What makes third-party analysis different from server-log analysis? If you have a third-party tool installed on your website, users’ information is sent directly to the provider of that tool, data which the provider may use for its own purposes. Google, for example, uses Google Analytics data to build your web analytics reports, but it also synthesizes it with data from all of the other websites that use GA in its own private market-research database. In other words, if there’s another website that’s frequently viewed by your organization’s supporters, Google can recognize that correlation and use it to place ads more effectively on behalf of its advertising customers (it can’t, however, connect this information to names of individual users).

To use GA, you must insert a web beacon into each page on your website. A beacon, sometimes referred to more disparagingly as a web bug, is a small piece of code that sends information about the viewer to a third party. According to Know Privacy’s 2009 report on Internet privacy, the 50 most popular websites on the Internet all contain at least one third-party web beacon; some sites carry as many as 100 (for example, one site may use GA, AdWords, and AddThis so this would be three different sets of beacons on a variety of pages throughout the site). Beacons send immediate information about a visitor to their manufacturer and in many cases create cookies to track the visitor’s future interactions. For more on how cookies work, see Understanding Cookies and Their Effect on Your Privacy .

Google’s beacons are particularly ubiquitous: Google can track activity not only on sites with GA installed, but also on sites that subscribe to Google-operated advertising services (AdSense and DoubleClick) or Google’s Widgets and FriendConnect services. Know Privacy estimates that taking all of these offerings into account, Google tracks 88.4% of the traffic on the web. Know Privacy notes that Google does purport to keep this data in separate silos. Google offers advanced features to webmasters who allow it to share data between different services and with partners.

GA isn’t the only third-party analytics tool that uses web beacons, but it’s the most popular. Similar services include StatCounter, Quantcast, and Wordpress Stats. As we alluded to above, advertising services like AdSense and Yahoo! APT also use beacons to track visitor activity; so do some social media widgets like AddThis and Meebo.

How Do Web Beacons Impact User Privacy?

How severe of an invasion of privacy is Google Analytics? It’s a difficult question, and opinions vary. While some people insist that web beacons and cookies must be regulated more stringently to preserve the Internet as a venue for safe communication, others compare GA to legal market-research techniques that advertisers have employed since long before the web existed.

According to a September 2009 report (Part 1, Part 2) from the Electronic Frontier Foundation (EFF, an organization known for its uncompromising approach to Internet privacy issues), large companies have begun to collate browsing histories with users’ social networking profiles, yielding a much more complete picture of Internet users than was previously possible. “We’re fearful that the vast majority of Internet users will continue to be tracked by dozens of companies — companies they've never heard of, companies they have no relationship with, companies they would never choose to trust with their most private thoughts and reading habits.” (To Google’s credit, its Orkut is the only major social networking service the Electronic Frontier Foundation found not to share information with third parties.)

To make matters worse, many privacy policies on popular websites are unclear even to legal experts, let alone laypeople, about the extent to which third parties use visitor data. According to the Know Privacy study, “While most policies stated that information would not be shared with third parties, many of these sites allowed third-party tracking through web bugs… It makes little sense to disclaim formal information sharing but allow functionally equivalent tracking by third parties.”

We spoke with noted library consultant and advocate Jessamyn West on the use of services like GA in libraries and the broader social sector. West was quick to point out that bugs and cookies are neither the only nor the most severe modern threats to privacy. “There are many things that could happen to you as soon as you pick up the telephone, walk out the door, or connect to the Internet. You might have your picture taken and posted online. You might have your credit card skimmed. What’s important is to gauge relative risks and your personal feeling about those risks. Some people refuse to enter their credit card information on the Internet; others are comfortable with that level of risk.”

While more tempered in her assessment than EFF, West reminded us that when you install a web beacon on your organization’s website, the decision impacts not only you but your constituents too. “When you make a decision about privacy on your library’s website, you’re implicitly making that decision on behalf of your users too, and most of the time, they don’t even know that a decision has been made. This is about the library’s personal association with the user: when users interact with a library’s website, that website is a part of the library.” West said that organizations need to strike a reasonable balance between their own needs and their members’ expectation of privacy. “We shouldn’t necessarily stick to our guns for no reason,” she said, “but we should take the implications seriously when we make these sorts of decisions.”

Communicate, Empower, Test

In early 2009, TechSoup made the decision to start using Google Analytics to track traffic on TechSoup.org. It was difficult for us to build a holistic view of site activity on server logs alone, as many components of our website are on different servers; for example, the TechSoup Blog and TechSoup forums are currently hosted by separate providers. We had trouble gaining a clear understanding of how visitors were using our site as a whole. Did mentioning a product donation in an article result in more users requesting that donation? Was traffic to the forums coming primarily from other parts of the site or from outside searches? Without a single record of activity throughout TechSoup.org, it was difficult to answer these questions with much precision.

It’s not our place to endorse or oppose the use of GA in the nonprofit sector, but we did learn a lot from our own experience implementing it. Some users were disheartened by what they perceived as an unnecessary breach of privacy; others wished that we had communicated the switch more clearly. To make matters worse, the GA code caused temporary problems with some of the site’s functionality. The experience taught us three important lessons: communicate changes to users, empower users to opt out, and test changes thoroughly.

Communicate Changes to Users

GA’s terms of service require that your site have a privacy policy that explains that you use GA (see below for more information on privacy policies). That’s a great start, but we suggest posting a notice to your blog or other user-read page before you install GA. Explain what role you see GA playing in your organization’s broader communications strategy and give specific examples of how you foresee site analytics deepening your nonprofit or library’s impact. Another issue to address, particularly for visitors in rural areas or developing countries, is the increased bandwidth requirements of a Javascript-heavy website. Be prepared to answer questions both about the privacy issues and about bandwidth problems.

Your nonprofit’s supporters, friends, and constituents will appreciate the extra effort to inform them regardless of how they feel about your policy. “Explain why you’re using it,” West said, “And have good reasons. If you don’t have good reasons, that sends the message that you really haven’t thought about the implications of these tools.”

Empower Users to Opt Out

Based on user response, we created a page on disabling Google Analytics. This page explains how to avoid sending information to GA by installing Google's opt-out plugin or modifying your hosts file. You could create a page like this one on your own site and link to it from your privacy policy. Feel free to copy or borrow from our text; we just ask that you attribute it to TechSoup.

But what’s the point of using GA if you allow users to disable it? Won’t that skew the results? Yes and no. It may have a small impact on the accuracy of your GA reports, but no statistics tool is 100% accurate. For measuring the impact of a particular message, campaign, or site redesign, precision is more important than accuracy.

Some visitors may choose to disable GA, while other users may be behind corporate firewalls that disallow GA. Still others may have Javascript and third-party cookies disabled altogether. If you use GA to compare the effectiveness of two different email campaigns, it’s unlikely that these groups will disproportionately skew one campaign over another.

There’s always the possibility that introducing new code to your website will have unforeseen consequences. If your site is very simple, testing might mean adding the GA code late at night and spending an hour or two testing the site with a variety of computers, operating systems, and web browsers.

If your site includes interactive elements like PHP, Javascript, cookies, and Flash, implementing GA should be planned, resourced, and tested like any other major IT project. Be prepared to roll the site back to the last working version in case of unforeseen consequences. For more information on resourcing and planning a major IT project, see Technology Triage for Your Nonprofit .

Whatever your site’s size and level of complexity, back it up before adding the GA tracking tags to it. If your website isn’t part of your backup strategy (or if you don’t have a backup strategy), this might be a good time to think about beginning to back up your website regularly. For more information, see the chapter on backup in The Resilient Organization, TechSoup’s disaster planning guide.

Your Website’s Privacy Policy

All but the most basic of websites collect user information (even if you don’t actively monitor your server logs, it’s quite likely that your hosting provider collects and stores them). Your privacy policy is a statement that informs visitors of what information they may be asked to provide (or provide involuntarily), how you’ll use the information, how long you’ll store it, and what (if any) third parties will have access to it. In some cases, a privacy policy is a legal or contractual requirement; even if it’s not required, we think that providing a clear, thorough policy is an ethical imperative.

In today’s world, individuals must decide every day what privacy risks they’re willing to accept. For some people, that means using a local mail server rather than a webmail service, or not using email at all. Some people avoid entering their credit card information online, while others choose not to have cards.

These choices belong to the individual, but in the nonprofit community, we occasionally must make similar decisions on behalf of our donors, supporters, volunteers, and beneficiaries. It would be impossible to maintain a nonprofit or library airtight from privacy risks and irresponsible to ignore our role in user privacy altogether, thus we should strike a balance that caters to users’ needs without curtailing the organization’s impact. When you make a change to your website that impacts user privacy, your constituents will appreciate you taking the time to communicate the change clearly and empower them to opt out.

“I’ve kind of made my peace with this,” West said when asked for her personal take on web privacy. “I’m more-or-less comfortable with the idea of letting my life be an open book. But there are people who feel differently, and you have to respect them. We make accommodations so that people with disabilities or underprivileged people can use the library; well, privacy freaks are part of the public too. We need to make our institutions accessible for them too – find a way to make our tools work for them. It’s an interesting challenge.”